Internal Control (As defined by COSO in 1992)
A process or system designed by an organization's board of directors, management and/or other executives to provide reasonable assurance that the following objectives are met:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations
Controls are important because they provide reasonable assurance that errors (unintentional mistakes) or frauds (intentional acts to get an unfair or unlawful gain) don't have an adverse effect on an organization in any of the three areas: operations, financial reporting, or compliance. There are three main types of controls: preventative, detective, and corrective. Preventative controls help prevent errors or frauds. Detective controls indicate that an error or mistake has occurred. Corrective controls are designed to correct errors or frauds that have already occurred.
Internal Control is comprised of 5 components:
Control Environment: (Tone at the Top reflects the entire control system) Provides the foundation of internal control of an organization. The purpose of the control environment is to create an atmosphere that exemplifies the ethical values and attitudes of an organization (i.e. the tone of an organization). The term tone relates to the attitudes and work ethic of people associated with the entity. "Tone at the top" is often used to describe how these values are spread across all facets of an organization from top level executives down to production workers. These values and attitudes portrayed by management trickle down the internal structure of an organization to reflect the entity's beliefs, awareness and dedication to the overall importance of control. Thus, the tone management wants to accomplish starts at the top as they attempt to set a good example for employees down the chain of command. Organizations may use many methods to accomplish the molding of a successful control environment. One such method is the use of corporate codes of conduct, which influence ethical behavior by requiring employees to sign a contract of sorts that gives an outline of acts that are considered illegal or unethical. The ultimate goal is for management to set an example so as to make the organization as a single unit control conscious.
Risk Assessment: (What is the likelihood of the risk occurring and what is its financial impact?) Identifying and analyzing the effects certain risks may impose on the success of an organization's objectives. Deals with two Assessing the risks provides a basis for determining how the risks should be managed appropriately. Examples of different types of risks include currency risk, investment risk, credit risk, and trade risk.
Control Activities: (Are we going to accept the risk, reduce the risk, share the risk or avoid the risk?) Policies and procedures put in place to make sure that the strategic objectives as defined by management are carried out. Practices, policies, software settings, and other procedural guidelines put in place by management to reduce the risk of fraud or error that can result in financial misstatements. They are actions taken by management to mitigate the risk that a control objective will not be achieved.
Information and Communication: People of an organization need to be aware of their responsibilities. Communicating to employees information that they can understand is vital to the structure of an entity. In order for employees to understand the role they play, management needs to make sure that information is identified, captured, and exchanged in a timely fashion so as to allow employees to understand and perform their assigned responsibilities.
Monitoring: (Continuous evaluation of the whole process) A continuous process that assesses the quality of internal control of an organization. It is the final component of ERM, but it should not be considered a final activity.
Business Process Control Goals
Control goals of operations processes:
Effectiveness: A measure of success in meeting one or more goals for the operations process. Making sure that a specific operations process is doing what it is supposed to do. Are we meeting our business objectives?
Efficiency: A measure of the productivity of the resources applied to achieve a set of goals. Related to cost vs. benefit. If the cost of a resource is greater than the benefit, then the system may be deemed inefficient. Are we using resources such as people and computers in the most efficient way?
Security of resources: Protecting an organization's resources (such as cash and information) from loss, destruction, disclosure, copying, sale, or other misuse. The protection of both tangible and intangible resources of an organization.
Control goals of information processes:
Input validity: Input data are appropriately approved and represent actual economic events and objects. Did the purported events actually take place?
Input completeness: All valid events or objects are captured and entered into a system. Are all events captured?
Input accuracy: All valid events must be correctly captured and entered into a system. A process designed to minimize discrepancies and uncover errors.
Update completeness: All events entered into a system must be reflected in the respective master data. The goal is to minimize and uncover errors that occur through programming errors and operational errors (did someone miss a step?). A way to uncover this is to understand what should have happened.
Update accuracy: Data entered into a system must be reflected correctly in the respective master data. Related to Update Completeness. Did the system produce the expected outcome?
A Control Hierarchy
The Control Environment: The first level of the hierarchy; the overall policies and procedures that demonstrate an organization's commitment to the importance of control. It comprises a multitude of factors that can either reinforce or mitigate the effectiveness of the pervasive and application control plans.
Pervasive Control Plans (Chapter 8): The second level of the hierarchy; address multiple goals and apply to many processes. They provide a climate or set of surrounding conditions in which the various business processes operate. They are broad in scope and apply equally to all business processes; they pervade all systems.
Business Process Control Plans (Chapters 9-14): The third level of the hierarchy; applied to a specific business process, such as billing or cash receipts. They relate to a specific AIS process or to the technology used to implement the process.
Application controls - automated business process controls contained within IT application systems.